Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
143s -
max time network
156s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system -
submitted
18/04/2024, 08:06
Static task
static1
Behavioral task
behavioral1
Sample
2024-04-18_ec037108d64d64dfe561c9900f421d2d_cryptolocker.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
2024-04-18_ec037108d64d64dfe561c9900f421d2d_cryptolocker.exe
Resource
win10v2004-20240226-en
General
-
Target
2024-04-18_ec037108d64d64dfe561c9900f421d2d_cryptolocker.exe
-
Size
40KB
-
MD5
ec037108d64d64dfe561c9900f421d2d
-
SHA1
0202642e9bb37f7e843df817f4197da7163c6dfc
-
SHA256
be217a543ee33bada0eaa1c490da6ab44ec8119f6225b4f934a3d30bb67aea56
-
SHA512
24e3fbc26b0073e62bf8dd66ce6814837b625c24b3b8913b580953470d3a314beec27529a31aee6e870a970dd8d5e8c59cb503f8d27366127ad7b12ba670d70f
-
SSDEEP
768:X6LsoEEeegiZPvEhHSG+gp/QtOOtEvwDpjBaac4HKcfr4:X6QFElP6n+gJQMOtEvwDpjBsYK6r4
Malware Config
Signatures
-
Detection of CryptoLocker Variants 1 IoCs
resource yara_rule behavioral2/files/0x000800000002323c-12.dat CryptoLocker_rule2 -
Detection of Cryptolocker Samples 1 IoCs
resource yara_rule behavioral2/files/0x000800000002323c-12.dat CryptoLocker_set1 -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation 2024-04-18_ec037108d64d64dfe561c9900f421d2d_cryptolocker.exe -
Executes dropped EXE 1 IoCs
pid Process 3964 asih.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious use of WriteProcessMemory 3 IoCs
description pid Process procid_target PID 5080 wrote to memory of 3964 5080 2024-04-18_ec037108d64d64dfe561c9900f421d2d_cryptolocker.exe 90 PID 5080 wrote to memory of 3964 5080 2024-04-18_ec037108d64d64dfe561c9900f421d2d_cryptolocker.exe 90 PID 5080 wrote to memory of 3964 5080 2024-04-18_ec037108d64d64dfe561c9900f421d2d_cryptolocker.exe 90
Processes
-
C:\Users\Admin\AppData\Local\Temp\2024-04-18_ec037108d64d64dfe561c9900f421d2d_cryptolocker.exe"C:\Users\Admin\AppData\Local\Temp\2024-04-18_ec037108d64d64dfe561c9900f421d2d_cryptolocker.exe"1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:5080 -
C:\Users\Admin\AppData\Local\Temp\asih.exe"C:\Users\Admin\AppData\Local\Temp\asih.exe"2⤵
- Executes dropped EXE
PID:3964
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4080 --field-trial-handle=2252,i,16504368816373493055,9578615028378602855,262144 --variations-seed-version /prefetch:81⤵PID:4776
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
40KB
MD5f40c89da85854cbdada5597230023c1d
SHA1e7a7c398aecf1fe1abff02094920a6412165cb93
SHA2567d6e07ec4377ffa89c7b97c6f913bd9ea274b62a5ca87692cfe71ce65a5f66aa
SHA5122477ac139ceba2a3ff34c934165aeef1452aef8e2390b154e28fc739015f2cb7073ff8721021f4c9b2b41ce48507b4cb9562535befc352f75121c70abc52eac4